1. Field of the Invention
This invention relates to the field of data processing systems. More particularly, this invention relates to the field of identifying computer files containing malware, such as, for example, computer viruses, worms, Trojans and the like.
2. Description of the Prior Art
It is known to provide malware identifying mechanisms that search computer files for sequences of computer instructions that are characteristic of particular items of malware, e.g. virus signatures comprising particular sequences of opcodes at particular locations within a computer file. It is also known to provide malware scanning systems that utilise a heuristic approach to identifying malware whereby the computer code is analysed to identify the type of actions it will perform and suspicious actions are recognised. If sufficient suspicious activity is identified, then the computer file will be treated as if it contains malware.
Searching for virus signatures has the disadvantage that the viruses must be already known to the system in that the appropriate virus signature must have already been generated and distributed. Thus, this virus protection is always one step behind the virus writers and there will be a finite period of time between release of a new virus and the virus signatures becoming available during which virus signature detection will not be effective for the newly released virus.
Heuristic detection techniques can be more effective for new viruses in that new viruses can be detected even though they have not previously been encountered, since they will display suspicious activity that can be identified by heuristic analysis. However, a significant disadvantage of heuristic scanning is that it requires a considerable amount of data processing resource to perform, which disadvantageously slows the malware scanning operation. Furthermore, as new types of suspicious activity are discovered, it is a complicated and expensive task to develop new heuristic analysis tools to detect such suspicious actions.
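The contrast drawn above between offset-anchored signature matching and heuristic scoring is shown below in an added Python example that is not part of the patent text. The signature, the "suspicious action" byte patterns, the weights, the threshold and the three sample files are all constructed stand-ins, not real virus data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    offset: int      # where in the file the opcode run must sit
    opcodes: bytes   # the characteristic opcode sequence


# Constructed signature: a made-up opcode run fixed at offset 4.
SIGNATURES = (Signature("Constructed.Sample.A", offset=4, opcodes=b"\xb8\x01\x4c\xcd\x21"),)

# Constructed heuristic table: byte patterns standing in for "suspicious actions", with weights.
# A real scanner reasons about decoded instructions; raw bytes keep this example self-contained.
SUSPICIOUS_PATTERNS = {
    b"\xcd\x13": 3,        # stand-in for a raw disk-service interrupt
    b"\xcd\x21": 1,        # stand-in for a generic OS service call
    b"\xe8\x00\x00": 2,    # stand-in for a self-locating "call next instruction"
}
HEURISTIC_THRESHOLD = 4    # constructed: total weight at which a file is treated as malware


def signature_scan(data: bytes, signatures=SIGNATURES) -> list[str]:
    """Names of signatures whose opcodes occur exactly at their stated offset."""
    hits = []
    for sig in signatures:
        end = sig.offset + len(sig.opcodes)
        if len(data) >= end and data[sig.offset:end] == sig.opcodes:
            hits.append(sig.name)
    return hits


def count_overlapping(data: bytes, pattern: bytes) -> int:
    n, i = 0, data.find(pattern)
    while i != -1:
        n, i = n + 1, data.find(pattern, i + 1)
    return n


def heuristic_score(data: bytes, patterns=SUSPICIOUS_PATTERNS) -> int:
    """Sum the weights of every suspicious pattern found anywhere in the file."""
    return sum(w * count_overlapping(data, p) for p, w in patterns.items())


def classify(data: bytes) -> str:
    if signature_scan(data):
        return "malware (signature)"
    if heuristic_score(data) >= HEURISTIC_THRESHOLD:
        return "malware (heuristic)"
    return "clean"


# Constructed samples: the "known" file, a variant with two extra NOPs that shift the
# signature off its offset (so the signature scan misses it), and a benign file.
KNOWN = b"\x90" * 4 + b"\xb8\x01\x4c\xcd\x21" + b"\xcd\x13"
VARIANT = b"\x90" * 6 + b"\xb8\x01\x4c\xcd\x21" + b"\xe8\x00\x00\xcd\x13"
BENIGN = b"\x55\x89\xe5\xcd\x21\x5d\xc3"
```

The variant is still caught, but only by the slower whole-file heuristic pass, which is the trade-off the surrounding text describes.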
Measures which can improve the ability to detect malware whilst avoiding an excessive increase in the amount of required processing resource are strongly advantageous.